On March 19, 2020, the European Data Protection Board (EDPB or Board), the principal body that ensures consistent application of the General Data Protection Regulation (GDPR), issued a statement regarding the processing of sensitive personal data in the midst of the Coronavirus pandemic. While the Board emphasized that personal data protection is not intended to impede an effective response, data protection obligations still apply during the pandemic with limited alterations. The Board’s statements are indicative of the way in which national supervisory bodies will likewise approach these issues, which already seem significantly aligned with the Board’s guidance.
The EDPB reminds controllers that public health authorities have existing rights to gather health data under Articles 6 and 9 of the GDPR, but employers may be able to gather health data when necessary for the protection of public health or to protect the vital interests of the data subject. The Board reminds employers that, to the extent necessary and in addition to the general obligations under the GDPR, processing of such sensitive personal data should adhere to the following precepts:
- Transparency and Purpose Limitation: Employers should collect sensitive personal data only after transparency requirements are satisfied and ensure that the collection is only for the limited purpose for which the employer collects and processes the sensitive personal data. The Board reminds employers, though, that the processing of sensitive personal data may be subject to additional limitations laid down by national law.
- Appropriate Security Measure: The Board reminds employers that the processing of sensitive personal data should be done using appropriate security measures. The Board, however, did not provide additional guidance on what security measures would be appropriate in this context.
- Cooperation with Public Health Authorities: The Board recognizes that many national laws relating to employee health and safety may require employers to provide personal data and other information to public health authorities about employees who contract the Coronavirus. The Board states that processing of such personal data to comply with these obligations is permitted under the GDPR.
- Disclosure of Health Data: The Board notes that employers should notify employees if a colleague has tested positive for the Coronavirus but should not reveal more information than necessary. If it is necessary to provide the name of the employee that tested positive, the Board reminds employers of their obligation to first inform the impacted employee prior to disclosure.
While the EDPB acknowledges that some governments are considering the possibility of using mobile device location data to assist in tracking and containing the spread of the Coronavirus, the Board encourages employers, or any controller for that matter, to use anonymized data where possible. The Board reiterates that, if controllers cannot anonymize the personal data, then—under Article 15 of the ePrivacy Directive—member states can introduce legislation to allow the processing of non-anonymized location data, but they have an obligation to adopt adequate safeguards, such as a right to a judicial remedy, if they do so. It also reminds controllers of their proportionality obligations and suggests that controllers leverage less intrusive means to protect public health, where possible.
Relatedly, the UK’s Information Commissioner’s Office (ICO) issued guidance to employers on handling sensitive personal data relating to the Coronavirus. It specifically addresses the challenges presented by the need to appropriately balance the collection and processing of sensitive personal data protection and public health. According to the ICO, while it is appropriate to ask employees if they are experiencing symptoms or have traveled to countries where the risk of infection is high, employers should not gather significant amounts of additional health information from employees. Likewise, the guidance reiterates the information in the Board’s statement that employers can, and should, notify employees if a colleague has tested positive and can share similar information with public health organizations.
Similar guidance has been issued by the following national supervisory authorities: Belgium, Czech Republic, Denmark, Finland, France, Germany, Hungary, Iceland, Ireland, Lithuania, Luxembourg, Netherlands, Norway, Poland, Slovakia, Slovenia, Spain, and Sweden.
Finally, the ICO recently indicated that it will provide certain allowances for compliance. Specifically, the UK supervisory authority indicates that it will relax enforcement on otherwise strict deadlines to comply with data subject rights in light of the strain on both human and financial resources that the coronavirus has presented to many controllers. Other national supervisory authorities are following suit, including Ireland’s Data Protection Commission.
The Board’s statement and the guidance from member states makes clear that data privacy and security obligations persist even in the face of a global pandemic. With staggering enforcement powers of up to 20 million Euros o 4% of a company’s global annual turnover, it is important that companies remain vigilant and consider the impacts of data privacy and protection compliance when collecting additional personal data from employees, contractors, customers, or guests.
If you have any questions regarding these issues, questions or concerns about compliance with privacy requirements, or how your organization can improve its compliance posture, please contact Matthew Baker, Neil Coulson, or any member of Baker Botts’ Privacy and Data Security team.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 700 lawyers practicing throughout a network of 12 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology, and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.